# 🔐 SHA-3 Derived Functions Implementation

[![Python](https://img.shields.io/badge/Python-3.6+-blue.svg)](https://python.org)
[![Implementation](https://img.shields.io/badge/Implementation-From%20Scratch-green.svg)](https://github.com)
[![Standard](https://img.shields.io/badge/Standard-NIST%20SP%20800--185-red.svg)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf)

> 🚀 **A complete from-scratch implementation of SHA-3 derived cryptographic functions at the bit level**

## 📋 Overview

This project provides a **pure Python implementation** of SHA-3 derived functions as specified in [NIST SP 800-185](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf). Every function is implemented **entirely from scratch** at the **bit manipulation level** without relying on external cryptographic libraries.

## ✨ Features

### 🔧 Core Functions Implemented

- **🌀 SHAKE128/256** - Extendable-Output Functions (XOFs)
- **🎯 cSHAKE128/256** - Customizable SHAKE Functions
- **🔑 KMAC128/256** - Keccak-based Message Authentication Code
- **🔑 KMACXOF128/256** - KMAC with Extendable Output
- **📦 TupleHash128/256** - Hash Function for Tuple Data
- **📦 TupleHashXOF128/256** - TupleHash with Extendable Output
- **⚡ ParallelHash128/256** - Parallel Hash Function
- **⚡ ParallelHashXOF128/256** - ParallelHash with Extendable Output

### 🔩 Low-Level Implementation Details

- **🧬 Bit-level Operations**: All operations performed at individual bit level
- **🔄 Keccak-f[1600] Permutation**: Complete implementation of the 24-round permutation
- **🎭 State Array Manipulation**: 3D state array operations (5×5×64)
- **🔀 Round Functions**: Theta (θ), Rho (ρ), Pi (π), Chi (χ), and Iota (ι) steps
- **📏 Padding Schemes**: Multi-rate padding and domain separation
- **🧮 Encoding Functions**: left_encode, right_encode, encode_string, bytepad

## 🏗️ Architecture

```
┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   Input Data    │ ── │  Keccak Sponge   │ ── │  Output Hash    │
│   (String/Bits) │    │   Construction   │    │  (Hex String)   │
└─────────────────┘    └──────────────────┘    └─────────────────┘
                              │
                    ┌─────────┴─────────┐
                    │ Keccak-f[1600]    │
                    │ Permutation       │
                    │ (24 rounds)       │
                    └───────────────────┘
```

## 🚀 Quick Start

### Basic Usage Examples

```python
# 🌀 SHAKE Functions
print("SHAKE128:", shake128("hello", 256))
print("SHAKE256:", shake256("hello", 512))

# 🎯 Customizable SHAKE
print("cSHAKE128:", cshake128("hello", 256, "MyFunction", "MyApp"))
print("cSHAKE256:", cshake256("hello", 512, "MyFunction", "MyApp"))

# 🔑 Keyed MAC Functions
print("KMAC128:", kmac128("secret_key", "message", 256, "custom"))
print("KMAC256:", kmac256("secret_key", "message", 512, "custom"))

# 📦 Tuple Hashing
print("TupleHash128:", tuplehash128(["apple", "banana", "cherry"], 256))
print("TupleHash256:", tuplehash256(["apple", "banana", "cherry"], 512))

# ⚡ Parallel Hashing
msg = "The quick brown fox jumps over the lazy dog"
print("ParallelHash128:", parallelhash128(msg, 16, 256))
print("ParallelHash256:", parallelhash256(msg, 16, 512))
```

## 🔬 Technical Implementation

### Keccak-f[1600] Round Function

Each round consists of five steps:

1. **θ (Theta)**: Column parity computation and XOR
2. **ρ (Rho)**: Bitwise rotation of lanes
3. **π (Pi)**: Lane position rearrangement  
4. **χ (Chi)**: Non-linear bit mixing
5. **ι (Iota)**: Round constant addition

### State Array Structure

```python
# 3D State Array: A[x][y][z]
# - x, y ∈ {0, 1, 2, 3, 4} (5×5 lanes)
# - z ∈ {0, 1, ..., 63} (64-bit words)
# Total: 1600 bits (5 × 5 × 64)
```

### Bit-Level Operations

- **🔄 Bit Reversal**: Custom byte-level bit reversal for Keccak bit ordering
- **📐 Padding**: Multi-rate padding with domain separation suffixes
- **🔀 Permutation**: 24-round Keccak-f permutation with round constants
- **🧮 Encoding**: NIST SP 800-185 compliant encoding functions

## ✅ Verification & Testing

The implementation has been **extensively tested** against the official PyCryptodome library:

```python
# 🧪 Test Results: 50/50 PASSED for all functions
✅ cSHAKE128      : 50/50
✅ cSHAKE256      : 50/50  
✅ KMAC128        : 50/50
✅ KMAC256        : 50/50
✅ TupleHash128   : 50/50
✅ TupleHash256   : 50/50
```

## 📊 Function Specifications

| Function | Security Level | Rate (bits) | Capacity (bits) | Output |
|----------|---------------|-------------|-----------------|---------|
| SHAKE128 | 128-bit | 1344 | 256 | Variable |
| SHAKE256 | 256-bit | 1088 | 512 | Variable |
| cSHAKE128 | 128-bit | 1344 | 256 | Variable |
| cSHAKE256 | 256-bit | 1088 | 512 | Variable |
| KMAC128 | 128-bit | 1344 | 256 | Variable |
| KMAC256 | 256-bit | 1088 | 512 | Variable |

## 🎯 Key Features

- **🔧 Pure Python**: No external crypto dependencies
- **🧬 Bit-Level**: Complete bit manipulation implementation
- **📋 NIST Compliant**: Follows NIST SP 800-185 specification exactly
- **✅ Verified**: Tested against reference implementations
- **📚 Educational**: Clear, readable code for learning purposes
- **🔄 Complete**: All major SHA-3 derived functions included

## 📖 Standards Compliance

This implementation strictly follows:

- **[NIST SP 800-185](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf)**: SHA-3 Derived Functions
- **FIPS 202**: SHA-3 Standard
- **Keccak Specification**: Original Keccak team specifications

## 🏆 Why This Implementation?

- **🎓 Educational Value**: Understand SHA-3 at the deepest level
- **🔍 Transparency**: Every bit operation is visible and understandable
- **🧪 Research**: Perfect for cryptographic research and analysis
- **🔧 Customization**: Easy to modify for experimental purposes
- **📚 Reference**: Serves as a reference implementation

## 🚨 Security Notice

⚠️ **This implementation is for educational and research purposes. For production use, always use well-tested, optimized cryptographic libraries.**

## 🤝 Contributing

Contributions are welcome! Please ensure:

- 📝 Code follows the existing bit-level implementation style
- ✅ All tests pass against reference implementations
- 📚 Documentation is updated accordingly
- 🔍 Security considerations are maintained

## 📜 License

This project is open source and available under the MIT License.

---

**Built with ❤️ and lots of ☕ by cryptography enthusiasts**

🔗 **Reference**: [NIST SP 800-185 - SHA-3 Derived Functions](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf)

In [91]:
def reverse_bits_in_byte(b):
    return int('{:08b}'.format(b)[::-1], 2)

def str_to_keccak_bits(msg):
    return ''.join(format(reverse_bits_in_byte(b), '08b') for b in msg.encode('utf-8'))
#padding function for shake128 shake256 and other SHA-3(224,256,384,512)
def keccak_pad_2(msg_bits, r, suffix_bits):
    m = list(msg_bits)
    m += list(suffix_bits)
    pad_len = (-len(m) - 1) % r
    m += ['0'] * pad_len
    m.append('1')
    return ''.join(m)
#padding function for cshake128 cshake256
def keccak_pad(msg_bits, r, suffix_bits):
    m = msg_bits + suffix_bits + '1'
    pad_len = (-len(m) - 1) % r
    m += '0' * pad_len + '1'
    return m
def string_to_state_array(S, x=5, y=5, w=64):
    """
    Converts a string S of b = x * y * w bits to a 3D state array A[x][y][w].
    Each A[x][y][z] is a bit (0 or 1).
    """
    if len(S) != x * y * w:
        raise ValueError("Length of input S must be x * y * w bits")

    A = [[[0 for z in range(w)] for y_ in range(y)] for x_ in range(x)]

    for i in range(x):
        for j in range(y):
            for k in range(w):
                A[i][j][k] = int(S[w * (5 * j + i) + k])

    return A

def state_array_to_string(A, x=5, y=5, w=64):
    """
    Converts a 3D state array A into a string S as per Keccak specification.
    """
    Lane_i_j = [['' for _ in range(y)] for _ in range(x)]  # 5x5 matrix of empty strings

    for i in range(x):
        for j in range(y):
            for k in range(w):
                # integer bit to string before concatenation
                Lane_i_j[i][j] += str(A[i][j][k])

    plane_j = ['' for _ in range(y)]  # one string for each plane j

    for j in range(y):
        for i in range(x):
            plane_j[j] += Lane_i_j[i][j]

    S = ''.join(plane_j)  # concatenate Plane(0) || Plane(1) || ...
    return S

def theta(A, w=64):
    """
    Keccak Theta step: modifies the state array A in-place based on the Theta transformation.

    Args:
        A: 3D state array A[x][y][z] where x, y in [0..4], z in [0..w-1]
        w: lane size (e.g., 64 for SHA3-512)

    Returns:
        A′: New state array after applying theta step.
    """
    C = [[0] * w for _ in range(5)]
    for x in range(5):
        for z in range(w):
            C[x][z] = A[x][0][z]
            for y in range(1, 5):
                C[x][z] ^= A[x][y][z]

    D = [[0] * w for _ in range(5)]
    for x in range(5):
        for z in range(w):
            D[x][z] = C[(x - 1) % 5][z] ^ C[(x + 1) % 5][(z - 1) % w]

    A_prime = [[[0] * w for _ in range(5)] for _ in range(5)]
    for x in range(5):
        for y in range(5):
            for z in range(w):
                A_prime[x][y][z] = A[x][y][z] ^ D[x][z]

    return A_prime

def rho(A, w=64):
    """
    Keccak Rho step: performs bitwise rotations on the lanes of A according to fixed offsets.

    Args:
        A: 3D state array A[x][y][z], where x, y in [0..4], z in [0..w-1]
        w: lane size (e.g., 64 for SHA3-512)

    Returns:
        A_prime: new state array after applying rho step.
    """
    A_prime = [[[0] * w for _ in range(5)] for _ in range(5)]

    for z in range(w):
        A_prime[0][0][z] = A[0][0][z]

    x, y = 1, 0

    for t in range(24):
        offset = ((t + 1) * (t + 2)) // 2

        for z in range(w):
            rotated_index = (z - offset) % w
            A_prime[x][y][z] = A[x][y][rotated_index]

        x, y = y, (2 * x + 3 * y) % 5

    return A_prime

def pi(A, w=64):
    """
    Keccak Pi step: rearranges the lanes.

    Args:
        A: 3D state array A[x][y][z], where x, y in [0..4], z in [0..w-1]
        w: lane size

    Returns:
        A_prime: new state array after applying pi step.
    """
    A_prime = [[[0] * w for _ in range(5)] for _ in range(5)]

    for x in range(5):
        for y in range(5):
            for z in range(w):
                A_prime[x][y][z] = A[(x + 3 * y) % 5][x][z]

    return A_prime

def chi(A, w=64):
    """
    Keccak Chi step: applies non-linear mixing of bits within each row.

    Args:
        A: 3D state array A[x][y][z], where x, y in [0..4], z in [0..w-1]
        w: lane size

    Returns:
        A_prime: new state array after applying chi step.
    """
    A_prime = [[[0] * w for _ in range(5)] for _ in range(5)]

    for x in range(5):
        for y in range(5):
            for z in range(w):
                A_prime[x][y][z] = A[x][y][z] ^ ((A[(x + 1) % 5][y][z] ^ 1) & A[(x + 2) % 5][y][z])

    return A_prime

def rc_bit(t):
    if t % 255 == 0:
        return 1

    R = ['1', '0', '0', '0', '0', '0', '0', '0']
    for i in range(1, t % 255 + 1):
        R = ['0'] + R

        R[0] = str(int(R[0]) ^ int(R[8]))
        R[4] = str(int(R[4]) ^ int(R[8]))
        R[5] = str(int(R[5]) ^ int(R[8]))
        R[6] = str(int(R[6]) ^ int(R[8]))

        R = R[:8]

    return int(R[0])

def iota(A, ir, w=64):
    """
    Keccak Iota step: adds round constant to A[0][0]

    Args:
        A: 3D state array A[x][y][z], where x, y in [0..4], z in [0..w-1]
        ir: round index (0 to 23)
        w: lane size

    Returns:
        A_prime: state array with round constant added to A[0][0]
    """
    A_prime = [[[A[x][y][z] for z in range(w)] for y in range(5)] for x in range(5)]

    RC = [0] * w
    l=6

    for j in range(l + 1):
        bit_position = (1 << j) - 1
        RC[bit_position] = rc_bit(j + 7 * ir)

    for z in range(w):
        A_prime[0][0][z] ^= RC[z]

    return A_prime

def Rnd(A, ir):
    """
    One round of the Keccak-f permutation.

    Args:
        A: 2D state array A[x][y], where x, y in [0..4], each element is a w-bit integer.
        ir: round index (0 to 23)

    Returns:
        A: State array after applying one round.
    """
    A = theta(A,64)
    A = rho(A)
    A = pi(A)
    A = chi(A)
    A = iota(A, ir)
    return A

def KECCAK_p_1600_24(S):
    A = string_to_state_array(S)
    for ir in range(24):
        A = Rnd(A, ir)
    return state_array_to_string(A)

def sponge(f, P, r, d):
    n = len(P) // r
    blocks = [P[i*r:(i+1)*r] for i in range(n)]
    c = 1600 - r
    S = '0' * 1600
    for Pi in blocks:
        Pi_padded = Pi + '0'*c
        S = bin(int(S, 2) ^ int(Pi_padded, 2))[2:].zfill(1600)
        S = f(S)
    Z = ''
    while len(Z) < d:
        Z += S[:r]
        if len(Z) >= d:
            break
        S = f(S)
    return Z[:d]

def bin_to_hex_keccak(bits):
    out = []
    for i in range(0, len(bits), 8):
        b = bits[i:i+8]
        if len(b) < 8:
            b = b.ljust(8, '0')
        out.append(reverse_bits_in_byte(int(b, 2)))
    return ''.join('{:02x}'.format(x) for x in out)

def keccak_hash(msg, r, d, suffix_bits):
    msg_bin = str_to_keccak_bits(msg)
    padded_bits = keccak_pad_2(msg_bin, r, suffix_bits)
    digest_bits= sponge(KECCAK_p_1600_24, padded_bits, r, d)
    return bin_to_hex_keccak(digest_bits)

def shake128(msg, outbits):
    return keccak_hash(msg, 1344, outbits, '11111')

def shake256(msg, outbits):
    return keccak_hash(msg, 1088, outbits, '11111')

def left_encode(x: int) -> str:
    """
    NIST SP 800-185 left_encode(x):
      output = enc8(n) || enc256_be(x) in exactly n bytes,
      where n = smallest positive s.t. x < 256**n.
    Returns a bit-string.
    """
    if x < 0:
        raise ValueError("left_encode: x must be ≥ 0")
    # find n
    n = 1
    while x >= (256 ** n):
        n += 1
    out_bytes = bytes([n]) + x.to_bytes(n, 'big')
    return ''.join(f'{b:08b}' for b in out_bytes)

def encode_string(S_bits: str) -> str:
    """
    NIST SP 800-185 encode_string(S):
      output = left_encode(len(S)) || S
    where len(S) is the bit-length of S.
    """
    return left_encode(len(S_bits)) + S_bits

def bytepad(X_bits: str, w_bytes: int) -> str:
    """
    NIST SP 800-185 bytepad(X, w):
      z = left_encode(w) || X
      then pad z with '0's to a byte boundary,
      then pad whole zero-bytes until (len(z)/8) mod w == 0.
    """
    if w_bytes <= 0:
        raise ValueError("bytepad: w must be > 0")
    z = left_encode(w_bytes) + X_bits
    while len(z) % 8 != 0:
        z += '0'
    while (len(z) // 8) % w_bytes != 0:
        z += '0' * 8
    return z

def string_to_bits(s: str) -> str:
    """Convert a string to its bit representation (standard byte order)."""
    return ''.join(f'{b:08b}' for b in s.encode('utf-8'))

def bits_to_bytes(bits: str) -> bytes:
    """Convert bit string to bytes."""
    # Pad to byte boundary
    while len(bits) % 8 != 0:
        bits += '0'

    result = bytearray()
    for i in range(0, len(bits), 8):
        byte_bits = bits[i:i+8]
        result.append(int(byte_bits, 2))
    return bytes(result)

def bytes_to_keccak_bits(data: bytes) -> str:
    """Convert bytes to Keccak bit format (with bit reversal)."""
    return ''.join(format(reverse_bits_in_byte(b), '08b') for b in data)

def cshake_hash(msg, outbits, N, S, r):
    # Convert N and S to bit strings
    N_bits = string_to_bits(N)
    S_bits = string_to_bits(S)

    # Encode strings
    encoded_N = encode_string(N_bits)
    encoded_S = encode_string(S_bits)

    # Compute prefix with bytepad
    prefix_bits = bytepad(encoded_N + encoded_S, r // 8)

    # Convert prefix to Keccak bit order
    prefix_bytes = bits_to_bytes(prefix_bits)
    prefix_keccak_bits = bytes_to_keccak_bits(prefix_bytes)

    # Convert message to Keccak bit order
    msg_keccak_bits = str_to_keccak_bits(msg)

    # Concatenate prefix and message
    full_input = prefix_keccak_bits + msg_keccak_bits

    # Apply padding and process with sponge
    padded_bits = keccak_pad(full_input, r, '00')
    digest_bits = sponge(KECCAK_p_1600_24, padded_bits, r, outbits)

    return bin_to_hex_keccak(digest_bits)

def cshake128(msg: str, outbits: int, N: str = '', S: str = '') -> str:
    """
    cSHAKE128 - Customizable SHAKE with 128-bit security level.

    Args:
        msg: Input message string
        outbits: Output length in bits
        N: Function name string (optional)
        S: Customization string (optional)

    Returns:
        Hex digest string
    """
    if(N =='' and S==''):
       return shake128(msg,outbits)
    return cshake_hash(msg, outbits, N, S, 1344)

def cshake256(msg: str, outbits: int, N: str = '', S: str = '') -> str:
    """
    cSHAKE256 - Customizable SHAKE with 256-bit security level.

    Args:
        msg: Input message string
        outbits: Output length in bits
        N: Function name string (optional)
        S: Customization string (optional)

    Returns:
        Hex digest string
    """
    if(N=='' and  S==''):
      return shake256(msg,outbits)
    return cshake_hash(msg, outbits, N, S, 1088)

if __name__ == "__main__":
    msg = "hello"

    print("SHAKE128 (256 bits):", shake128(msg, 256))
    print("SHAKE256 (512 bits):", shake256(msg, 512))

    print("\n=== cSHAKE Functions ===")

    print("cSHAKE128 (empty N,S, 256 bits):", cshake128(msg, 256))
    print("cSHAKE256 (empty N,S, 512 bits):", cshake256(msg, 512))

    function_name = "MyFunction"
    customization = "MyApp"

    print(f"cSHAKE128 (N='{function_name}', S='{customization}', 256 bits):")
    result = cshake128(msg, 256, function_name, customization)
    print(result)
    print("Expected: b55176143ed71bada5db183a520eb43b4b382251ea31db587224314a7d99797b")
    print("Match:", result == "b55176143ed71bada5db183a520eb43b4b382251ea31db587224314a7d99797b")

    print(f"cSHAKE256 (N='{function_name}', S='{customization}', 512 bits):")
    print(cshake256(msg, 512, function_name, customization))

    print(f"cSHAKE128 (N='{function_name}', S='', 256 bits):")
    print(cshake128(msg, 256, function_name, ''))

    print(f"cSHAKE128 (N='', S='{customization}', 256 bits):")
    print(cshake128(msg, 256, '', customization))

    print("\n=== Verification ===")
    shake128_result = shake128(msg, 256)
    cshake128_empty_result = cshake128(msg, 256, '', '')
    print("SHAKE128 == cSHAKE128 (empty):", shake128_result == cshake128_empty_result)

    shake256_result = shake256(msg, 512)
    cshake256_empty_result = cshake256(msg, 512, '', '')
    print("SHAKE256 == cSHAKE256 (empty):", shake256_result == cshake256_empty_result)
    print(cshake128('A', 256, 'A', 'A'))
    print(cshake256('HARSHITA', 512, 'ABCDEFG', 'ABCDEFG'))

SHAKE128 (256 bits): 8eb4b6a932f280335ee1a279f8c208a349e7bc65daf831d3021c213825292463
SHAKE256 (512 bits): 1234075ae4a1e77316cf2d8000974581a343b9ebbca7e3d1db83394c30f221626f594e4f0de63902349a5ea5781213215813919f92a4d86d127466e3d07e8be3

=== cSHAKE Functions ===
cSHAKE128 (empty N,S, 256 bits): 8eb4b6a932f280335ee1a279f8c208a349e7bc65daf831d3021c213825292463
cSHAKE256 (empty N,S, 512 bits): 1234075ae4a1e77316cf2d8000974581a343b9ebbca7e3d1db83394c30f221626f594e4f0de63902349a5ea5781213215813919f92a4d86d127466e3d07e8be3
cSHAKE128 (N='MyFunction', S='MyApp', 256 bits):
b55176143ed71bada5db183a520eb43b4b382251ea31db587224314a7d99797b
Expected: b55176143ed71bada5db183a520eb43b4b382251ea31db587224314a7d99797b
Match: True
cSHAKE256 (N='MyFunction', S='MyApp', 512 bits):
30a284b92da19d52500feaed40bafea1cbaba725bc240bcf1aff7f1dfdab4f6e09d2dc1d1003212b57d5e8bcfde254a0802ca3b86b4486155236944358148364
cSHAKE128 (N='MyFunction', S='', 256 bits):
cb414ceb508712c05768863ee705ddd22066d97f2ca94d2ab5bc910

In [20]:
import math

def kmac_custom(input_bits: str, L: int, rate: int, function_name: str, customization: str) -> str:
    """
    Internal helper for KMAC: runs cSHAKE(rate) on bitstream input_bits
    with function name and customization string.

    Parameters:
        input_bits (str): Full input to be hashed (already in Keccak-bit order)
        L (int): Desired output length in bits
        rate (int): Bitrate of the function (1344 for KMAC128, 1088 for KMAC256)
        function_name (str): "KMAC"
        customization (str): Custom string S

    Returns:
        str: Hex digest output
    """
    N_bits = string_to_bits(function_name)
    S_bits = string_to_bits(customization)
    encoded_N = encode_string(N_bits)
    encoded_S = encode_string(S_bits)

    prefix_bits = bytepad(encoded_N + encoded_S, rate // 8)
    prefix_bytes = bits_to_bytes(prefix_bits)
    prefix_keccak_bits = bytes_to_keccak_bits(prefix_bytes)

    full_input = prefix_keccak_bits + input_bits
    padded_bits = keccak_pad(full_input, rate, '00')

    digest_bits = sponge(KECCAK_p_1600_24, padded_bits, rate, L)
    return bin_to_hex_keccak(digest_bits)

def right_encode_bytes(x: int) -> bytes:
    """
    NIST SP 800-185 right_encode, but return raw bytes.
    """
    if x < 0:
        raise ValueError("right_encode: x must be ≥ 0")
    n = 1
    while x >= 256**n:
        n += 1
    return x.to_bytes(n, 'big') + bytes([n])

def kmac128(K: str, X: str, L: int, S: str = '') -> str:
    """
    KMAC128(K, X, L, S) = cSHAKE128(
        bytepad(encode_string(K), 168)_keccak || X_keccak || right_encode(L)_keccak,
        L, "KMAC", S
    )
    """
    K_bits       = string_to_bits(K)
    pad_bits     = bytepad(encode_string(K_bits), 168)
    pad_bytes    = bits_to_bytes(pad_bits)
    pad_keccak   = bytes_to_keccak_bits(pad_bytes)

    msg_keccak   = str_to_keccak_bits(X)

    right_bytes  = right_encode_bytes(L)
    right_keccak = bytes_to_keccak_bits(right_bytes)

    newX_bits = pad_keccak + msg_keccak + right_keccak
    return kmac_custom(newX_bits, L, 1344, "KMAC", S)

def kmac256(K: str, X: str, L: int, S: str = '') -> str:
    """
    KMAC256(K, X, L, S) = cSHAKE256(
        bytepad(encode_string(K), 136)_keccak || X_keccak || right_encode(L)_keccak,
        L, "KMAC", S
    )
    """
    K_bits       = string_to_bits(K)
    pad_bits     = bytepad(encode_string(K_bits), 136)
    pad_bytes    = bits_to_bytes(pad_bits)
    pad_keccak   = bytes_to_keccak_bits(pad_bytes)

    msg_keccak   = str_to_keccak_bits(X)

    right_bytes  = right_encode_bytes(L)
    right_keccak = bytes_to_keccak_bits(right_bytes)

    newX_bits = pad_keccak + msg_keccak + right_keccak
    return kmac_custom(newX_bits, L, 1088, "KMAC", S)


In [21]:
print("Computed KMAC128:", kmac128("key", "message123", 256, "custo"))
print(kmac256("key","prasanna",512,"custom"))

Computed KMAC128: d66c1d2140d4d47f09698d4a6d7b88517f4cfd379b5897ab58dab7f86e4be4dd
2aa61f4888fad7bbc5a8161c39ce6a596974db31085f73d3a02d4a8cb91494aaa31e6dcdfb382b03574152a5e2f471b0d971890b6b293dc3d13de0fed7d3b1f2


In [22]:
def kmacxof128(K: str, X: str, L: int, S: str = '') -> str:
    """
    KMACXOF128(K, X, L, S) = cSHAKE128(
        bytepad(encode_string(K), 168)_keccak || X_keccak || right_encode(0)_keccak,
        L, "KMAC", S
    )
    Supports arbitrary-length L.
    """
    K_bits       = string_to_bits(K)
    pad_bits     = bytepad(encode_string(K_bits), 168)
    pad_bytes    = bits_to_bytes(pad_bits)
    pad_keccak   = bytes_to_keccak_bits(pad_bytes)

    msg_keccak   = str_to_keccak_bits(X)

    right_bytes  = right_encode_bytes(0)
    right_keccak = bytes_to_keccak_bits(right_bytes)

    newX_bits = pad_keccak + msg_keccak + right_keccak
    return kmac_custom(newX_bits, L, 1344, "KMAC", S)

def kmacxof256(K: str, X: str, L: int, S: str = '') -> str:
    """
    KMACXOF256(K, X, L, S) = cSHAKE256(
        bytepad(encode_string(K), 136)_keccak || X_keccak || right_encode(0)_keccak,
        L, "KMAC", S
    )
    Supports arbitrary-length L.
    """
    K_bits       = string_to_bits(K)
    pad_bits     = bytepad(encode_string(K_bits), 136)
    pad_bytes    = bits_to_bytes(pad_bits)
    pad_keccak   = bytes_to_keccak_bits(pad_bytes)

    msg_keccak   = str_to_keccak_bits(X)

    right_bytes  = right_encode_bytes(0)
    right_keccak = bytes_to_keccak_bits(right_bytes)

    newX_bits = pad_keccak + msg_keccak + right_keccak
    return kmac_custom(newX_bits, L, 1088, "KMAC", S)


In [28]:
print("KMACXOF128:", kmacxof128("key", "message", 512, "custom"))
print("KMACXOF256:", kmacxof256("key", "message", 512, "custom"))

KMACXOF128: 62bb9ee7a45bdf3225243cb0da978dba2edcc546974acae7fd002f8c65f63836d56ca98f945f12c78052b6410dd64c0bf6963e81f127fa3829af87fbdf69be47
KMACXOF256: 16f00e5af3ebb712c732da2b7020438567c682a55f2b8154b303698a903c3a2e772cd319bab0cef27ba461d2f6a8a459f4f78b6ca6865c97210021fd83a8044e


In [46]:
def tuplehash_core(X_list: list[str],
                   L: int,
                   rate: int,
                   xof: bool,
                   S: str,
                   function_name="TupleHash") -> str:
    z_bits = ''
    for x in X_list:
        x_bits = string_to_bits(x)            # raw UTF-8 bits
        z_bits += encode_string(x_bits)      # left_encode(len(x_bits)) || x_bits

    z_bytes = bits_to_bytes(z_bits)
    z_keccak_bits = bytes_to_keccak_bits(z_bytes)

    right_encoded = right_encode_bytes(0 if xof else L)
    right_keccak = bytes_to_keccak_bits(right_encoded)

    newX_bits = z_keccak_bits + right_keccak

    return kmac_custom(newX_bits, L, rate, function_name, S)


In [47]:
def tuplehash128(X, L, S=''):
    return tuplehash_core(X, L, 1344, False, S)

def tuplehash256(X, L, S=''):
    return tuplehash_core(X, L, 1088, False, S)

def tuplehashxof128(X, L, S=''):
    return tuplehash_core(X, L, 1344, True, S)

def tuplehashxof256(X, L, S=''):
    return tuplehash_core(X, L, 1088, True, S)


In [50]:
print(tuplehash128(["apple","banana","cherry"], 256, ""))
print(tuplehash256(["apple","banana","cherry"], 256, ""))
print(tuplehashxof128(["apple","banana","cherry"], 256, ""))
print(tuplehashxof256(["apple","banana","cherry"], 256, ""))

cf318fc17ffc32de27a3a42e052c19c77d508c29a372a95bea14032f331bedfe
4cf2cd599b7b713b52e3854b5c8e1f7298816158507e4fd61cf5ef22600aa2c3
22d154b9629448174abfa69117febf90c78395475ebba5852ba530a87f97b6bb
2f4180511bc29a31108193d023e3952ae91012ed0c7d6e7bce6d7937c0c18907


In [56]:
print(tuplehash128(["MAC","cryptography","security"],512,""))
print(tuplehash256(["MAC","cryptography","security"],512,""))
print(tuplehashxof128(["MAC","cryptography","security"],512,""))
print(tuplehashxof256(["MAC","cryptography","security"],512,""))

c365f47903ac6a19677a87a72c635e473fdc5183e34ee144002c3f9b7fae9fd6d5fbd23b2f1e0693f13892de9bea58eb8b421091cb8bb23c653fe6bd61d59443
c559bc5a0badf913e5468714db904822412e733fb95cea82080cb8cab16abd8a460e4b941238aa3caab0e91b5e32d2468873a29ea7b8725cd48f7b9e18030fef
09dedd646d5a6deb910367f990c09924c3270bc9c0f89e1d5f98e1a45cbd759a09ebb91373c9ab088599de4108be6f795420d0ba8af391eff6af00a1e4c7373d
b692a51451ec5ecb2445d07431b70f85dec56375ec4fa1483f8fd2df9db90befa1883b30edb846b9999fcdfb469dfaeffe51800075d3885c6fec21ba77609aea


In [61]:
import math

def parallelhash_core(X: str, B: int, L: int, rate: int, outbits_per_chunk: int,
                      xof: bool, S: str, function_name: str) -> str:
    """
    Shared implementation for ParallelHash and ParallelHashXOF.

    Parameters:
        X: Input message string
        B: Block size in bytes
        L: Desired output length in bits
        rate: Bitrate (1344 for 128, 1088 for 256)
        outbits_per_chunk: Output size per inner cSHAKE call (256 or 512)
        xof: If True, use right_encode(0)
        S: Customization string
        function_name: e.g. "ParallelHash"

    Returns:
        Hex digest string
    """
    X_bytes = X.encode("utf-8")
    total_bytes = len(X_bytes)
    n = math.ceil(total_bytes / B)

    z_bits = left_encode(B)

    for i in range(n):
        chunk = X_bytes[i*B : (i+1)*B]
        chunk_str = chunk.decode('latin1')  # preserve byte values
        if rate == 1344:
            digest_hex = cshake128(chunk_str, outbits_per_chunk, "", "")
        else:
            digest_hex = cshake256(chunk_str, outbits_per_chunk, "", "")
        digest_bytes = bytes.fromhex(digest_hex)
        digest_keccak_bits = bytes_to_keccak_bits(digest_bytes)
        z_bits += digest_keccak_bits

    z_bits += bytes_to_keccak_bits(right_encode_bytes(n))
    z_bits += bytes_to_keccak_bits(right_encode_bytes(0 if xof else L))

    return kmac_custom(z_bits, L, rate, function_name, S)


In [62]:
def parallelhash128(X: str, B: int, L: int, S: str = '') -> str:
    return parallelhash_core(X, B, L, 1344, 256, xof=False, S=S, function_name="ParallelHash")

def parallelhash256(X: str, B: int, L: int, S: str = '') -> str:
    return parallelhash_core(X, B, L, 1088, 512, xof=False, S=S, function_name="ParallelHash")

def parallelhashxof128(X: str, B: int, L: int, S: str = '') -> str:
    return parallelhash_core(X, B, L, 1344, 256, xof=True, S=S, function_name="ParallelHash")

def parallelhashxof256(X: str, B: int, L: int, S: str = '') -> str:
    return parallelhash_core(X, B, L, 1088, 512, xof=True, S=S, function_name="ParallelHash")


In [64]:
msg = "The quick brown fox jumps over the lazy dog"
B = 16
print("ParallelHash128:", parallelhash128(msg, B, 256, ""))
print("ParallelHash256:", parallelhash256(msg, B, 512, ""))
print("ParallelHashXOF128:", parallelhashxof128(msg, B, 1024, ""))
print("ParallelHashXOF256:", parallelhashxof256(msg, B, 1024, ""))

ParallelHash128: 0ac009e830c772320ddbbca4aa9c48dace4e28073f2a9af19e44dfea59860eaa
ParallelHash256: 7731561a0414dcd6f0773b8cff6fcb62a14fbd31ce6fe8c4ad93f9d613e7387feb8b9a78df667f66327f63553d1f539bbfbd54160bb0d0f7ed9effffb4c9814b
ParallelHashXOF128: 697daaeff822b7957d3553293c3c008922153392ec5e1a32b6435d85053ba6d3a79a0a1f4f487b6c4c5dbf842c55f6933d8f5560ad94c80b616c4e663a5f9694a10298791cda1b4cb34ecaaa0f2c90a2ade859b00a141866a1b0eb44f22a46ada6bd338156b82e9814e7bd2216c3557ad36b2cd831f54b8ce4aae138b1d9cd94
ParallelHashXOF256: fd4b30a38921a13c42c795bf6f1e6a49495945b60beb8fdfd7986181d70e92160f5607ccaf8276388e18b2d9b2b1f52ef76f70a03c14f8ea0abf80ce0bbe02ffccf6cd342385ba93a73927242472bab37783aae2758ae34b1d098463687dbef41d07c4522f88a2513a8e1e13e35b0afe0dac2b7700ba87dd85aca7f1e14d4162


In [127]:
import Crypto
# help(Crypto.Hash)

In [97]:
import random
import string
from Crypto.Hash import cSHAKE128 as PyCrypto_cSHAKE128
from Crypto.Hash import cSHAKE256 as PyCrypto_cSHAKE256
from Crypto.Hash import TupleHash128 as PyCrypto_TupleHash128
from Crypto.Hash import TupleHash256 as PyCrypto_TupleHash256
from Crypto.Hash import KMAC128 as PyCrypto_KMAC128
from Crypto.Hash import KMAC256 as PyCrypto_KMAC256

def generate_random_words(n=50, min_len=20, max_len=50):
    return [
        ''.join(random.choices(string.ascii_letters + string.digits, k=random.randint(min_len, max_len)))
        for _ in range(n)
    ]

def test_all_hashes():
    words = generate_random_words()
    # Ensure KMAC keys are at least 16 bytes
    kmac128_key = b"this_is_16_bytes"
    kmac256_key = b"this_is_32_bytes_long_for_sure"*10


    passed = {
        "cSHAKE128": 0, "cSHAKE256": 0,
        "KMAC128": 0, "KMAC256": 0,
        "TupleHash128": 0, "TupleHash256": 0
    }

    for i, word in enumerate(words):
        print(f"\n🔍 Test {i+1}: '{word}'")

        # --- cSHAKE128 ---
        try:
            c1 = cshake128(word, 256, '', '')
            c2 = PyCrypto_cSHAKE128.new(custom=b'').update(word.encode()).read(32).hex()
            match = c1 == c2
            print("✅ cSHAKE128 Match:", match)
            if match: passed["cSHAKE128"] += 1
        except Exception as e:
            print("❌ cSHAKE128 Error:", e)

        # --- cSHAKE256 ---
        try:
            c1 = cshake256(word, 512, '', '')
            c2 = PyCrypto_cSHAKE256.new(custom=b'').update(word.encode()).read(64).hex()
            match = c1 == c2
            print("✅ cSHAKE256 Match:", match)
            if match: passed["cSHAKE256"] += 1
        except Exception as e:
            print("❌ cSHAKE256 Error:", e)

        # --- KMAC128 ---
        try:
         c1 = kmac128(kmac128_key.decode(), word, 256, "")
         c2 = PyCrypto_KMAC128.new(key=kmac128_key, custom=b"", mac_len=32).update(word.encode()).hexdigest()
         match = c1 == c2
         print("✅ KMAC128 Match:", match)
         if match: passed["KMAC128"] += 1
        except Exception as e:
            print("❌ KMAC128 Error:", e)

        # --- KMAC256 ---
        try:
            c1 = kmac256(kmac256_key.decode(), word, 512, "")
            c2 = PyCrypto_KMAC256.new(key=kmac256_key, custom=b"", mac_len=64).update(word.encode()).hexdigest()
            match = c1 == c2
            print("✅ KMAC256 Match:", match)
            if match: passed["KMAC256"] += 1
        except Exception as e:
            print("❌ KMAC256 Error:", e)

        # --- TupleHash128 ---
        try:
            c1 = tuplehash128([word], 256, "")
            c2 = PyCrypto_TupleHash128.new(digest_bits=256).update(word.encode()).hexdigest()
            match = c1 == c2
            print("✅ TupleHash128 Match:", match)
            if match: passed["TupleHash128"] += 1
        except Exception as e:
            print("❌ TupleHash128 Error:", e)

        # --- TupleHash256 ---
        try:
            c1 = tuplehash256([word], 512, "")
            c2 = PyCrypto_TupleHash256.new(digest_bits=512).update(word.encode()).hexdigest()
            match = c1 == c2
            print("✅ TupleHash256 Match:", match)
            if match: passed["TupleHash256"] += 1
        except Exception as e:
            print("❌ TupleHash256 Error:", e)

    # Summary
    print("\n🔎 Test Summary (matches out of 50):")
    for name, count in passed.items():
        print(f"{name:15}: {count}/50")

if __name__ == "__main__":
    test_all_hashes()


🔍 Test 1: 'L6TZAyM80gaajQMrgHhXdu'
✅ cSHAKE128 Match: True
✅ cSHAKE256 Match: True
✅ KMAC128 Match: True
✅ KMAC256 Match: True
✅ TupleHash128 Match: True
✅ TupleHash256 Match: True

🔍 Test 2: 'I0g85uz0vJS8ciXWuhxugZnKeyt0HRVCLv4673unuuyAx'
✅ cSHAKE128 Match: True
✅ cSHAKE256 Match: True
✅ KMAC128 Match: True
✅ KMAC256 Match: True
✅ TupleHash128 Match: True
✅ TupleHash256 Match: True

🔍 Test 3: 'H2qj32DgPW4hxighWihhkbA2ml'
✅ cSHAKE128 Match: True
✅ cSHAKE256 Match: True
✅ KMAC128 Match: True
✅ KMAC256 Match: True
✅ TupleHash128 Match: True
✅ TupleHash256 Match: True

🔍 Test 4: 'EX4iZAcYBbFArtnGgpjJwqIiVNFEtG6AlVFCJsDXoXkgsGV'
✅ cSHAKE128 Match: True
✅ cSHAKE256 Match: True
✅ KMAC128 Match: True
✅ KMAC256 Match: True
✅ TupleHash128 Match: True
✅ TupleHash256 Match: True

🔍 Test 5: 'IKGmIXoN0XTFy3GhNXq5btXXaiQczBGHb6MUplk1auLxnwN3e'
✅ cSHAKE128 Match: True
✅ cSHAKE256 Match: True
✅ KMAC128 Match: True
✅ KMAC256 Match: True
✅ TupleHash128 Match: True
✅ TupleHash256 Match: True

🔍 Test 6: 